2004-07-08 11:17:47 -04:00
|
|
|
|
2004-09-28 04:34:51 -04:00
|
|
|
/*
|
2004-09-29 12:00:49 -04:00
|
|
|
* Copyright (C) Igor Sysoev
|
2012-01-18 12:07:43 -03:00
|
|
|
* Copyright (C) Nginx, Inc.
|
2004-09-28 04:34:51 -04:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
2004-07-08 11:17:47 -04:00
|
|
|
#include <ngx_config.h>
|
|
|
|
#include <ngx_core.h>
|
|
|
|
#include <ngx_http.h>
|
|
|
|
|
2023-02-22 12:16:53 -03:00
|
|
|
#if (NGX_QUIC_OPENSSL_COMPAT)
|
|
|
|
#include <ngx_event_quic_openssl_compat.h>
|
|
|
|
#endif
|
|
|
|
|
nginx-0.3.8-RELEASE import
*) Security: nginx now checks URI got from a backend in
"X-Accel-Redirect" header line or in SSI file for the "/../" paths
and zeroes.
*) Change: nginx now does not treat the empty user name in the
"Authorization" header line as valid one.
*) Feature: the "ssl_session_timeout" directives of the
ngx_http_ssl_module and ngx_imap_ssl_module.
*) Feature: the "auth_http_header" directive of the
ngx_imap_auth_http_module.
*) Feature: the "add_header" directive.
*) Feature: the ngx_http_realip_module.
*) Feature: the new variables to use in the "log_format" directive:
$bytes_sent, $apache_bytes_sent, $status, $time_gmt, $uri,
$request_time, $request_length, $upstream_status,
$upstream_response_time, $gzip_ratio, $uid_got, $uid_set,
$connection, $pipe, and $msec. The parameters in the "%name" form
will be canceled soon.
*) Change: now the false variable values in the "if" directive are the
empty string "" and string starting with "0".
*) Bugfix: while using proxied or FastCGI-server nginx may leave
connections and temporary files with client requests in open state.
*) Bugfix: the worker processes did not flush the buffered logs on
graceful exit.
*) Bugfix: if the request URI was changes by the "rewrite" directive
and the request was proxied in location given by regular expression,
then the incorrect request was transferred to backend; the bug had
appeared in 0.2.6.
*) Bugfix: the "expires" directive did not remove the previous
"Expires" header.
*) Bugfix: nginx may stop to accept requests if the "rtsig" method and
several worker processes were used.
*) Bugfix: the "\"" and "\'" escape symbols were incorrectly handled in
SSI commands.
*) Bugfix: if the response was ended just after the SSI command and
gzipping was used, then the response did not transferred complete or
did not transferred at all.
2005-11-09 14:25:55 -03:00
|
|
|
|
2006-08-09 15:59:45 -04:00
|
|
|
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
|
|
|
|
ngx_pool_t *pool, ngx_str_t *s);
|
2006-02-08 12:33:12 -03:00
|
|
|
|
|
|
|
|
2011-07-20 11:42:40 -04:00
|
|
|
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
|
2016-05-19 07:46:32 -04:00
|
|
|
#define NGX_DEFAULT_ECDH_CURVE "auto"
|
2004-07-08 11:17:47 -04:00
|
|
|
|
2021-10-20 03:50:02 -03:00
|
|
|
#define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9"
|
2014-01-28 20:33:49 -03:00
|
|
|
|
|
|
|
|
|
|
|
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
|
|
|
static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
|
|
|
|
const unsigned char **out, unsigned char *outlen,
|
|
|
|
const unsigned char *in, unsigned int inlen, void *arg);
|
|
|
|
#endif
|
2004-07-08 11:17:47 -04:00
|
|
|
|
2006-08-09 15:59:45 -04:00
|
|
|
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
|
2006-05-06 12:28:56 -04:00
|
|
|
ngx_http_variable_value_t *v, uintptr_t data);
|
2006-08-09 15:59:45 -04:00
|
|
|
static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
|
2006-05-06 12:28:56 -04:00
|
|
|
ngx_http_variable_value_t *v, uintptr_t data);
|
2006-02-08 12:33:12 -03:00
|
|
|
|
|
|
|
static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
|
2004-07-08 11:17:47 -04:00
|
|
|
static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
|
|
|
|
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
|
2005-03-19 08:38:37 -04:00
|
|
|
void *parent, void *child);
|
2004-07-08 11:17:47 -04:00
|
|
|
|
2019-02-25 10:42:05 -03:00
|
|
|
static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
|
|
|
|
ngx_http_ssl_srv_conf_t *conf);
|
|
|
|
|
2008-09-01 10:19:01 -04:00
|
|
|
static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
|
|
|
|
void *conf);
|
2014-06-16 11:43:25 -04:00
|
|
|
static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
|
|
|
|
void *conf);
|
2007-01-02 20:55:05 -03:00
|
|
|
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
|
|
|
|
void *conf);
|
2020-05-22 10:25:27 -04:00
|
|
|
static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
|
|
|
|
void *conf);
|
2007-01-02 20:55:05 -03:00
|
|
|
|
2020-10-22 12:00:22 -03:00
|
|
|
static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
|
|
|
|
void *data);
|
|
|
|
|
2012-10-01 09:47:55 -03:00
|
|
|
static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
|
|
|
|
|
2004-07-08 11:17:47 -04:00
|
|
|
|
2005-09-30 10:41:25 -04:00
|
|
|
static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
|
|
|
|
{ ngx_string("SSLv2"), NGX_SSL_SSLv2 },
|
|
|
|
{ ngx_string("SSLv3"), NGX_SSL_SSLv3 },
|
|
|
|
{ ngx_string("TLSv1"), NGX_SSL_TLSv1 },
|
2012-01-11 08:15:00 -03:00
|
|
|
{ ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
|
|
|
|
{ ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
|
2017-04-18 09:12:38 -03:00
|
|
|
{ ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
|
2005-09-30 10:41:25 -04:00
|
|
|
{ ngx_null_string, 0 }
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2008-07-29 10:29:02 -04:00
|
|
|
static ngx_conf_enum_t ngx_http_ssl_verify[] = {
|
|
|
|
{ ngx_string("off"), 0 },
|
|
|
|
{ ngx_string("on"), 1 },
|
2009-07-22 13:41:42 -04:00
|
|
|
{ ngx_string("optional"), 2 },
|
2012-10-03 12:24:08 -03:00
|
|
|
{ ngx_string("optional_no_ca"), 3 },
|
2008-07-29 10:29:02 -04:00
|
|
|
{ ngx_null_string, 0 }
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2020-05-22 10:30:12 -04:00
|
|
|
static ngx_conf_enum_t ngx_http_ssl_ocsp[] = {
|
|
|
|
{ ngx_string("off"), 0 },
|
|
|
|
{ ngx_string("on"), 1 },
|
|
|
|
{ ngx_string("leaf"), 2 },
|
|
|
|
{ ngx_null_string, 0 }
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2018-04-25 08:57:24 -03:00
|
|
|
static ngx_conf_deprecated_t ngx_http_ssl_deprecated = {
|
|
|
|
ngx_conf_deprecated, "ssl", "listen ... ssl"
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2020-10-22 12:00:22 -03:00
|
|
|
static ngx_conf_post_t ngx_http_ssl_conf_command_post =
|
|
|
|
{ ngx_http_ssl_conf_command_check };
|
|
|
|
|
|
|
|
|
2004-07-16 13:11:43 -04:00
|
|
|
static ngx_command_t ngx_http_ssl_commands[] = {
|
2004-07-08 11:17:47 -04:00
|
|
|
|
2004-07-15 12:35:51 -04:00
|
|
|
{ ngx_string("ssl"),
|
2006-01-16 11:56:53 -03:00
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
2008-09-01 10:19:01 -04:00
|
|
|
ngx_http_ssl_enable,
|
2004-07-08 11:17:47 -04:00
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, enable),
|
2018-04-25 08:57:24 -03:00
|
|
|
&ngx_http_ssl_deprecated },
|
2004-07-08 11:17:47 -04:00
|
|
|
|
|
|
|
{ ngx_string("ssl_certificate"),
|
2006-01-16 11:56:53 -03:00
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
2016-05-19 07:46:32 -04:00
|
|
|
ngx_conf_set_str_array_slot,
|
2004-07-08 11:17:47 -04:00
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
2016-05-19 07:46:32 -04:00
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, certificates),
|
2004-07-08 11:17:47 -04:00
|
|
|
NULL },
|
|
|
|
|
|
|
|
{ ngx_string("ssl_certificate_key"),
|
2006-01-16 11:56:53 -03:00
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
2016-05-19 07:46:32 -04:00
|
|
|
ngx_conf_set_str_array_slot,
|
2004-07-08 11:17:47 -04:00
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
2016-05-19 07:46:32 -04:00
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, certificate_keys),
|
2004-07-08 11:17:47 -04:00
|
|
|
NULL },
|
|
|
|
|
2014-06-16 11:43:25 -04:00
|
|
|
{ ngx_string("ssl_password_file"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_http_ssl_password_file,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
0,
|
|
|
|
NULL },
|
|
|
|
|
2008-06-16 01:51:32 -04:00
|
|
|
{ ngx_string("ssl_dhparam"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_conf_set_str_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, dhparam),
|
|
|
|
NULL },
|
|
|
|
|
2011-07-20 11:42:40 -04:00
|
|
|
{ ngx_string("ssl_ecdh_curve"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_conf_set_str_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
|
|
|
|
NULL },
|
|
|
|
|
2005-09-30 10:41:25 -04:00
|
|
|
{ ngx_string("ssl_protocols"),
|
2005-10-19 09:33:58 -03:00
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
|
2005-09-30 10:41:25 -04:00
|
|
|
ngx_conf_set_bitmask_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, protocols),
|
|
|
|
&ngx_http_ssl_protocols },
|
|
|
|
|
nginx-0.1.14-RELEASE import
*) Feature: the autoconfiguration directives:
--http-client-body-temp-path=PATH, --http-proxy-temp-path=PATH, and
--http-fastcgi-temp-path=PATH
*) Change: the directory name for the temporary files with the client
request body is specified by directive client_body_temp_path, by
default it is <prefix>/client_body_temp.
*) Feature: the ngx_http_fastcgi_module and the directives:
fastcgi_pass, fastcgi_root, fastcgi_index, fastcgi_params,
fastcgi_connect_timeout, fastcgi_send_timeout, fastcgi_read_timeout,
fastcgi_send_lowat, fastcgi_header_buffer_size, fastcgi_buffers,
fastcgi_busy_buffers_size, fastcgi_temp_path,
fastcgi_max_temp_file_size, fastcgi_temp_file_write_size,
fastcgi_next_upstream, and fastcgi_x_powered_by.
*) Bugfix: the "[alert] zero size buf" error; the bug had appeared in
0.1.3.
*) Change: the URI must be specified after the host name in the
proxy_pass directive.
*) Change: the %3F symbol in the URI was considered as the argument
string start.
*) Feature: the unix domain sockets support in the
ngx_http_proxy_module.
*) Feature: the ssl_engine and ssl_ciphers directives.
Thanks to Sergey Skvortsov for SSL-accelerator.
2005-01-18 10:03:58 -03:00
|
|
|
{ ngx_string("ssl_ciphers"),
|
2005-10-19 09:33:58 -03:00
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
nginx-0.1.14-RELEASE import
*) Feature: the autoconfiguration directives:
--http-client-body-temp-path=PATH, --http-proxy-temp-path=PATH, and
--http-fastcgi-temp-path=PATH
*) Change: the directory name for the temporary files with the client
request body is specified by directive client_body_temp_path, by
default it is <prefix>/client_body_temp.
*) Feature: the ngx_http_fastcgi_module and the directives:
fastcgi_pass, fastcgi_root, fastcgi_index, fastcgi_params,
fastcgi_connect_timeout, fastcgi_send_timeout, fastcgi_read_timeout,
fastcgi_send_lowat, fastcgi_header_buffer_size, fastcgi_buffers,
fastcgi_busy_buffers_size, fastcgi_temp_path,
fastcgi_max_temp_file_size, fastcgi_temp_file_write_size,
fastcgi_next_upstream, and fastcgi_x_powered_by.
*) Bugfix: the "[alert] zero size buf" error; the bug had appeared in
0.1.3.
*) Change: the URI must be specified after the host name in the
proxy_pass directive.
*) Change: the %3F symbol in the URI was considered as the argument
string start.
*) Feature: the unix domain sockets support in the
ngx_http_proxy_module.
*) Feature: the ssl_engine and ssl_ciphers directives.
Thanks to Sergey Skvortsov for SSL-accelerator.
2005-01-18 10:03:58 -03:00
|
|
|
ngx_conf_set_str_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, ciphers),
|
|
|
|
NULL },
|
|
|
|
|
2013-12-20 09:18:25 -03:00
|
|
|
{ ngx_string("ssl_buffer_size"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_conf_set_size_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, buffer_size),
|
|
|
|
NULL },
|
|
|
|
|
2006-05-06 12:28:56 -04:00
|
|
|
{ ngx_string("ssl_verify_client"),
|
2011-11-14 06:12:15 -03:00
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
2008-07-29 10:29:02 -04:00
|
|
|
ngx_conf_set_enum_slot,
|
2006-05-06 12:28:56 -04:00
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, verify),
|
2008-07-29 10:29:02 -04:00
|
|
|
&ngx_http_ssl_verify },
|
2006-05-06 12:28:56 -04:00
|
|
|
|
|
|
|
{ ngx_string("ssl_verify_depth"),
|
2014-01-14 08:56:40 -03:00
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
2006-05-06 12:28:56 -04:00
|
|
|
ngx_conf_set_num_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
|
|
|
|
NULL },
|
|
|
|
|
|
|
|
{ ngx_string("ssl_client_certificate"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_conf_set_str_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
|
|
|
|
NULL },
|
|
|
|
|
2012-10-01 09:39:36 -03:00
|
|
|
{ ngx_string("ssl_trusted_certificate"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_conf_set_str_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
|
|
|
|
NULL },
|
|
|
|
|
2005-09-30 10:41:25 -04:00
|
|
|
{ ngx_string("ssl_prefer_server_ciphers"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
|
|
ngx_conf_set_flag_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
|
|
|
|
NULL },
|
|
|
|
|
2007-01-02 20:55:05 -03:00
|
|
|
{ ngx_string("ssl_session_cache"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
|
|
|
|
ngx_http_ssl_session_cache,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
0,
|
|
|
|
NULL },
|
|
|
|
|
2014-01-10 12:12:40 -03:00
|
|
|
{ ngx_string("ssl_session_tickets"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
|
|
ngx_conf_set_flag_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, session_tickets),
|
|
|
|
NULL },
|
|
|
|
|
2013-10-11 20:05:24 -03:00
|
|
|
{ ngx_string("ssl_session_ticket_key"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_conf_set_str_array_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, session_ticket_keys),
|
|
|
|
NULL },
|
|
|
|
|
nginx-0.3.8-RELEASE import
*) Security: nginx now checks URI got from a backend in
"X-Accel-Redirect" header line or in SSI file for the "/../" paths
and zeroes.
*) Change: nginx now does not treat the empty user name in the
"Authorization" header line as valid one.
*) Feature: the "ssl_session_timeout" directives of the
ngx_http_ssl_module and ngx_imap_ssl_module.
*) Feature: the "auth_http_header" directive of the
ngx_imap_auth_http_module.
*) Feature: the "add_header" directive.
*) Feature: the ngx_http_realip_module.
*) Feature: the new variables to use in the "log_format" directive:
$bytes_sent, $apache_bytes_sent, $status, $time_gmt, $uri,
$request_time, $request_length, $upstream_status,
$upstream_response_time, $gzip_ratio, $uid_got, $uid_set,
$connection, $pipe, and $msec. The parameters in the "%name" form
will be canceled soon.
*) Change: now the false variable values in the "if" directive are the
empty string "" and string starting with "0".
*) Bugfix: while using proxied or FastCGI-server nginx may leave
connections and temporary files with client requests in open state.
*) Bugfix: the worker processes did not flush the buffered logs on
graceful exit.
*) Bugfix: if the request URI was changes by the "rewrite" directive
and the request was proxied in location given by regular expression,
then the incorrect request was transferred to backend; the bug had
appeared in 0.2.6.
*) Bugfix: the "expires" directive did not remove the previous
"Expires" header.
*) Bugfix: nginx may stop to accept requests if the "rtsig" method and
several worker processes were used.
*) Bugfix: the "\"" and "\'" escape symbols were incorrectly handled in
SSI commands.
*) Bugfix: if the response was ended just after the SSI command and
gzipping was used, then the response did not transferred complete or
did not transferred at all.
2005-11-09 14:25:55 -03:00
|
|
|
{ ngx_string("ssl_session_timeout"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_conf_set_sec_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
|
|
|
|
NULL },
|
|
|
|
|
2009-07-23 08:21:26 -04:00
|
|
|
{ ngx_string("ssl_crl"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_conf_set_str_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, crl),
|
|
|
|
NULL },
|
|
|
|
|
2020-05-22 10:30:12 -04:00
|
|
|
{ ngx_string("ssl_ocsp"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
|
|
ngx_conf_set_enum_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, ocsp),
|
|
|
|
&ngx_http_ssl_ocsp },
|
|
|
|
|
|
|
|
{ ngx_string("ssl_ocsp_responder"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_conf_set_str_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder),
|
|
|
|
NULL },
|
|
|
|
|
2020-05-22 10:25:27 -04:00
|
|
|
{ ngx_string("ssl_ocsp_cache"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_http_ssl_ocsp_cache,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
0,
|
|
|
|
NULL },
|
|
|
|
|
2012-10-01 09:41:08 -03:00
|
|
|
{ ngx_string("ssl_stapling"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
|
|
ngx_conf_set_flag_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, stapling),
|
|
|
|
NULL },
|
|
|
|
|
|
|
|
{ ngx_string("ssl_stapling_file"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_conf_set_str_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
|
|
|
|
NULL },
|
|
|
|
|
2012-10-01 09:47:55 -03:00
|
|
|
{ ngx_string("ssl_stapling_responder"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
|
|
|
ngx_conf_set_str_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
|
|
|
|
NULL },
|
|
|
|
|
2012-10-01 09:53:11 -03:00
|
|
|
{ ngx_string("ssl_stapling_verify"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
|
|
ngx_conf_set_flag_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
|
|
|
|
NULL },
|
|
|
|
|
2018-08-06 19:16:07 -04:00
|
|
|
{ ngx_string("ssl_early_data"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
|
|
ngx_conf_set_flag_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, early_data),
|
|
|
|
NULL },
|
|
|
|
|
2020-10-22 12:00:22 -03:00
|
|
|
{ ngx_string("ssl_conf_command"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2,
|
|
|
|
ngx_conf_set_keyval_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, conf_commands),
|
|
|
|
&ngx_http_ssl_conf_command_post },
|
|
|
|
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
{ ngx_string("ssl_reject_handshake"),
|
|
|
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
|
|
|
ngx_conf_set_flag_slot,
|
|
|
|
NGX_HTTP_SRV_CONF_OFFSET,
|
|
|
|
offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
|
|
|
|
NULL },
|
|
|
|
|
2004-07-08 11:17:47 -04:00
|
|
|
ngx_null_command
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2004-07-16 13:11:43 -04:00
|
|
|
static ngx_http_module_t ngx_http_ssl_module_ctx = {
|
2006-02-08 12:33:12 -03:00
|
|
|
ngx_http_ssl_add_variables, /* preconfiguration */
|
2012-10-01 09:47:55 -03:00
|
|
|
ngx_http_ssl_init, /* postconfiguration */
|
2004-07-08 11:17:47 -04:00
|
|
|
|
2005-09-08 10:36:09 -04:00
|
|
|
NULL, /* create main configuration */
|
|
|
|
NULL, /* init main configuration */
|
2004-07-08 11:17:47 -04:00
|
|
|
|
|
|
|
ngx_http_ssl_create_srv_conf, /* create server configuration */
|
|
|
|
ngx_http_ssl_merge_srv_conf, /* merge server configuration */
|
|
|
|
|
|
|
|
NULL, /* create location configuration */
|
2005-02-03 16:33:37 -03:00
|
|
|
NULL /* merge location configuration */
|
2004-07-08 11:17:47 -04:00
|
|
|
};
|
|
|
|
|
|
|
|
|
2004-07-16 13:11:43 -04:00
|
|
|
ngx_module_t ngx_http_ssl_module = {
|
nginx-0.1.29-RELEASE import
*) Feature: the ngx_http_ssi_module supports "include virtual" command.
*) Feature: the ngx_http_ssi_module supports the condition command like
'if expr="$NAME"' and "else" and "endif" commands. Only one nested
level is supported.
*) Feature: the ngx_http_ssi_module supports the DATE_LOCAL and
DATE_GMT variables and "config timefmt" command.
*) Feature: the "ssi_ignore_recycled_buffers" directive.
*) Bugfix: the "echo" command did not show the default value for the
empty QUERY_STRING variable.
*) Change: the ngx_http_proxy_module was rewritten.
*) Feature: the "proxy_redirect", "proxy_pass_request_headers",
"proxy_pass_request_body", and "proxy_method" directives.
*) Feature: the "proxy_set_header" directive. The "proxy_x_var" was
canceled and must be replaced with the proxy_set_header directive.
*) Change: the "proxy_preserve_host" is canceled and must be replaced
with the "proxy_set_header Host $host" and the "proxy_redirect off"
directives, the "proxy_set_header Host $host:$proxy_port" directive
and the appropriate proxy_redirect directives.
*) Change: the "proxy_set_x_real_ip" is canceled and must be replaced
with the "proxy_set_header X-Real-IP $remote_addr" directive.
*) Change: the "proxy_add_x_forwarded_for" is canceled and must be
replaced with
the "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for"
directive.
*) Change: the "proxy_set_x_url" is canceled and must be replaced with
the "proxy_set_header X-URL http://$host:$server_port$request_uri"
directive.
*) Feature: the "fastcgi_param" directive.
*) Change: the "fastcgi_root", "fastcgi_set_var" and "fastcgi_params"
directive are canceled and must be replaced with the fastcgi_param
directives.
*) Feature: the "index" directive can use the variables.
*) Feature: the "index" directive can be used at http and server levels.
*) Change: the last index only in the "index" directive can be absolute.
*) Feature: the "rewrite" directive can use the variables.
*) Feature: the "internal" directive.
*) Feature: the CONTENT_LENGTH, CONTENT_TYPE, REMOTE_PORT, SERVER_ADDR,
SERVER_PORT, SERVER_PROTOCOL, DOCUMENT_ROOT, SERVER_NAME,
REQUEST_METHOD, REQUEST_URI, and REMOTE_USER variables.
*) Change: nginx now passes the invalid lines in a client request
headers or a backend response header.
*) Bugfix: if the backend did not transfer response for a long time and
the "send_timeout" was less than "proxy_read_timeout", then nginx
returned the 408 response.
*) Bugfix: the segmentation fault was occurred if the backend sent an
invalid line in response header; the bug had appeared in 0.1.26.
*) Bugfix: the segmentation fault may occurred in FastCGI fault
tolerance configuration.
*) Bugfix: the "expires" directive did not remove the previous
"Expires" and "Cache-Control" headers.
*) Bugfix: nginx did not take into account trailing dot in "Host"
header line.
*) Bugfix: the ngx_http_auth_module did not work under Linux.
*) Bugfix: the rewrite directive worked incorrectly, if the arguments
were in a request.
*) Bugfix: nginx could not be built on MacOS X.
2005-05-12 10:58:06 -04:00
|
|
|
NGX_MODULE_V1,
|
2004-07-16 13:11:43 -04:00
|
|
|
&ngx_http_ssl_module_ctx, /* module context */
|
|
|
|
ngx_http_ssl_commands, /* module directives */
|
2004-07-08 11:17:47 -04:00
|
|
|
NGX_HTTP_MODULE, /* module type */
|
2005-09-08 10:36:09 -04:00
|
|
|
NULL, /* init master */
|
2004-07-15 12:35:51 -04:00
|
|
|
NULL, /* init module */
|
2005-09-08 10:36:09 -04:00
|
|
|
NULL, /* init process */
|
|
|
|
NULL, /* init thread */
|
|
|
|
NULL, /* exit thread */
|
|
|
|
NULL, /* exit process */
|
|
|
|
NULL, /* exit master */
|
|
|
|
NGX_MODULE_V1_PADDING
|
2004-07-08 11:17:47 -04:00
|
|
|
};
|
|
|
|
|
|
|
|
|
2006-02-08 12:33:12 -03:00
|
|
|
static ngx_http_variable_t ngx_http_ssl_vars[] = {
|
|
|
|
|
2006-08-09 15:59:45 -04:00
|
|
|
{ ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
|
2007-10-14 15:56:15 -03:00
|
|
|
(uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
2006-02-08 12:33:12 -03:00
|
|
|
|
2006-08-09 15:59:45 -04:00
|
|
|
{ ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
|
2007-10-14 15:56:15 -03:00
|
|
|
(uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
2006-02-08 12:33:12 -03:00
|
|
|
|
2016-12-05 16:23:23 -03:00
|
|
|
{ ngx_string("ssl_ciphers"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_ciphers, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2021-11-01 12:09:34 -03:00
|
|
|
{ ngx_string("ssl_curve"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_curve, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2016-12-05 16:23:23 -03:00
|
|
|
{ ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2009-09-24 10:45:28 -04:00
|
|
|
{ ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2014-02-11 12:20:25 -03:00
|
|
|
{ ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2018-08-06 19:16:07 -04:00
|
|
|
{ ngx_string("ssl_early_data"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_early_data,
|
|
|
|
NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
|
|
|
|
|
2014-04-18 13:13:21 -03:00
|
|
|
{ ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2021-10-14 05:46:23 -03:00
|
|
|
{ ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2008-06-16 01:54:18 -04:00
|
|
|
{ ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2008-07-29 10:29:02 -04:00
|
|
|
{ ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_raw_certificate,
|
|
|
|
NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2017-08-22 09:18:10 -03:00
|
|
|
{ ngx_string("ssl_client_escaped_cert"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_escaped_certificate,
|
|
|
|
NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2006-08-09 15:59:45 -04:00
|
|
|
{ ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
|
2007-10-14 15:56:15 -03:00
|
|
|
(uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
2006-05-06 12:28:56 -04:00
|
|
|
|
2006-08-09 15:59:45 -04:00
|
|
|
{ ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
|
2007-10-14 15:56:15 -03:00
|
|
|
(uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
2006-08-09 15:59:45 -04:00
|
|
|
|
2016-10-21 10:28:39 -03:00
|
|
|
{ ngx_string("ssl_client_s_dn_legacy"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_subject_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
|
|
|
{ ngx_string("ssl_client_i_dn_legacy"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_issuer_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2006-08-09 15:59:45 -04:00
|
|
|
{ ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
|
2007-10-14 15:56:15 -03:00
|
|
|
(uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
2006-05-06 12:28:56 -04:00
|
|
|
|
2014-05-20 06:03:03 -04:00
|
|
|
{ ngx_string("ssl_client_fingerprint"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_fingerprint, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2009-07-22 13:41:42 -04:00
|
|
|
{ ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2016-12-05 16:23:23 -03:00
|
|
|
{ ngx_string("ssl_client_v_start"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_client_v_start, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
|
|
|
{ ngx_string("ssl_client_v_end"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_client_v_end, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
|
|
|
{ ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
|
|
|
|
(uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
|
|
|
|
2017-08-01 07:28:33 -04:00
|
|
|
ngx_http_null_variable
|
2006-02-08 12:33:12 -03:00
|
|
|
};
|
|
|
|
|
|
|
|
|
2007-01-03 12:25:40 -03:00
|
|
|
static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
|
2007-01-02 20:55:05 -03:00
|
|
|
|
|
|
|
|
2014-01-28 20:33:49 -03:00
|
|
|
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
2013-03-07 15:21:28 -03:00
|
|
|
|
2014-01-28 20:33:49 -03:00
|
|
|
static int
|
|
|
|
ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
|
|
|
|
unsigned char *outlen, const unsigned char *in, unsigned int inlen,
|
|
|
|
void *arg)
|
|
|
|
{
|
2021-12-04 04:52:55 -03:00
|
|
|
unsigned int srvlen;
|
|
|
|
unsigned char *srv;
|
2014-01-28 20:33:49 -03:00
|
|
|
#if (NGX_DEBUG)
|
2021-12-04 04:52:55 -03:00
|
|
|
unsigned int i;
|
2014-01-28 20:33:49 -03:00
|
|
|
#endif
|
2021-12-06 07:02:36 -03:00
|
|
|
#if (NGX_HTTP_V2 || NGX_HTTP_V3)
|
2021-12-04 04:52:55 -03:00
|
|
|
ngx_http_connection_t *hc;
|
|
|
|
#endif
|
2023-02-27 07:00:56 -03:00
|
|
|
#if (NGX_HTTP_V3)
|
2021-12-04 04:52:55 -03:00
|
|
|
ngx_http_v3_srv_conf_t *h3scf;
|
2014-01-28 20:33:49 -03:00
|
|
|
#endif
|
2021-12-06 07:02:36 -03:00
|
|
|
#if (NGX_HTTP_V2 || NGX_HTTP_V3 || NGX_DEBUG)
|
2021-12-04 04:52:55 -03:00
|
|
|
ngx_connection_t *c;
|
2014-01-28 20:33:49 -03:00
|
|
|
|
|
|
|
c = ngx_ssl_get_connection(ssl_conn);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if (NGX_DEBUG)
|
|
|
|
for (i = 0; i < inlen; i += in[i] + 1) {
|
2016-03-30 05:52:16 -03:00
|
|
|
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
2016-03-30 20:33:53 -03:00
|
|
|
"SSL ALPN supported by client: %*s",
|
|
|
|
(size_t) in[i], &in[i + 1]);
|
2014-01-28 20:33:49 -03:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2021-12-06 07:02:36 -03:00
|
|
|
#if (NGX_HTTP_V2 || NGX_HTTP_V3)
|
2014-01-28 20:33:49 -03:00
|
|
|
hc = c->data;
|
2020-03-23 13:26:24 -03:00
|
|
|
#endif
|
2014-01-28 20:33:49 -03:00
|
|
|
|
2020-03-23 13:26:24 -03:00
|
|
|
#if (NGX_HTTP_V2)
|
2015-09-11 14:13:06 -03:00
|
|
|
if (hc->addr_conf->http2) {
|
2021-10-20 03:50:02 -03:00
|
|
|
srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS;
|
|
|
|
srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1;
|
2014-01-28 20:33:49 -03:00
|
|
|
} else
|
2020-03-23 13:26:24 -03:00
|
|
|
#endif
|
2020-11-09 18:32:56 -03:00
|
|
|
#if (NGX_HTTP_V3)
|
2023-02-27 07:00:56 -03:00
|
|
|
if (hc->addr_conf->quic) {
|
2021-12-04 04:52:55 -03:00
|
|
|
|
|
|
|
h3scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v3_module);
|
|
|
|
|
2023-02-27 07:00:56 -03:00
|
|
|
if (h3scf->enable && h3scf->enable_hq) {
|
|
|
|
srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO
|
|
|
|
NGX_HTTP_V3_HQ_ALPN_PROTO;
|
|
|
|
srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO NGX_HTTP_V3_HQ_ALPN_PROTO)
|
|
|
|
- 1;
|
|
|
|
|
|
|
|
} else if (h3scf->enable_hq) {
|
2021-12-04 04:52:55 -03:00
|
|
|
srv = (unsigned char *) NGX_HTTP_V3_HQ_ALPN_PROTO;
|
|
|
|
srvlen = sizeof(NGX_HTTP_V3_HQ_ALPN_PROTO) - 1;
|
2023-02-27 07:00:56 -03:00
|
|
|
|
|
|
|
} else if (h3scf->enable || hc->addr_conf->http3) {
|
2021-12-02 07:59:09 -03:00
|
|
|
srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO;
|
|
|
|
srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1;
|
2023-02-27 07:00:56 -03:00
|
|
|
|
|
|
|
} else {
|
|
|
|
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
2020-11-09 18:32:56 -03:00
|
|
|
}
|
|
|
|
|
2020-07-21 16:09:22 -04:00
|
|
|
} else
|
2014-01-28 20:33:49 -03:00
|
|
|
#endif
|
|
|
|
{
|
2021-10-20 03:50:02 -03:00
|
|
|
srv = (unsigned char *) NGX_HTTP_ALPN_PROTOS;
|
|
|
|
srvlen = sizeof(NGX_HTTP_ALPN_PROTOS) - 1;
|
2014-01-28 20:33:49 -03:00
|
|
|
}
|
|
|
|
|
|
|
|
if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
|
|
|
|
in, inlen)
|
|
|
|
!= OPENSSL_NPN_NEGOTIATED)
|
|
|
|
{
|
2021-10-20 03:50:02 -03:00
|
|
|
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
2014-01-28 20:33:49 -03:00
|
|
|
}
|
|
|
|
|
|
|
|
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
2016-03-30 20:33:53 -03:00
|
|
|
"SSL ALPN selected: %*s", (size_t) *outlen, *out);
|
2014-01-28 20:33:49 -03:00
|
|
|
|
|
|
|
return SSL_TLSEXT_ERR_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
2006-02-08 12:33:12 -03:00
|
|
|
static ngx_int_t
|
2006-08-09 15:59:45 -04:00
|
|
|
ngx_http_ssl_static_variable(ngx_http_request_t *r,
|
2006-02-08 12:33:12 -03:00
|
|
|
ngx_http_variable_value_t *v, uintptr_t data)
|
|
|
|
{
|
2006-08-09 15:59:45 -04:00
|
|
|
ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
|
2006-02-08 12:33:12 -03:00
|
|
|
|
2007-07-17 05:23:23 -04:00
|
|
|
size_t len;
|
|
|
|
ngx_str_t s;
|
2006-02-08 12:33:12 -03:00
|
|
|
|
|
|
|
if (r->connection->ssl) {
|
|
|
|
|
2007-07-17 05:23:23 -04:00
|
|
|
(void) handler(r->connection, NULL, &s);
|
|
|
|
|
|
|
|
v->data = s.data;
|
2006-02-08 12:33:12 -03:00
|
|
|
|
2006-08-09 15:59:45 -04:00
|
|
|
for (len = 0; v->data[len]; len++) { /* void */ }
|
2006-02-08 12:33:12 -03:00
|
|
|
|
|
|
|
v->len = len;
|
|
|
|
v->valid = 1;
|
2007-10-14 15:56:15 -03:00
|
|
|
v->no_cacheable = 0;
|
2006-02-08 12:33:12 -03:00
|
|
|
v->not_found = 0;
|
|
|
|
|
|
|
|
return NGX_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
v->not_found = 1;
|
|
|
|
|
|
|
|
return NGX_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2006-05-06 12:28:56 -04:00
|
|
|
static ngx_int_t
|
2006-08-09 15:59:45 -04:00
|
|
|
ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
|
2006-05-06 12:28:56 -04:00
|
|
|
uintptr_t data)
|
|
|
|
{
|
2006-08-09 15:59:45 -04:00
|
|
|
ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
|
2006-05-06 12:28:56 -04:00
|
|
|
|
2007-07-17 05:23:23 -04:00
|
|
|
ngx_str_t s;
|
|
|
|
|
2006-05-06 12:28:56 -04:00
|
|
|
if (r->connection->ssl) {
|
2007-07-17 05:23:23 -04:00
|
|
|
|
|
|
|
if (handler(r->connection, r->pool, &s) != NGX_OK) {
|
2006-05-06 12:28:56 -04:00
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
|
2007-07-17 05:23:23 -04:00
|
|
|
v->len = s.len;
|
|
|
|
v->data = s.data;
|
|
|
|
|
2006-05-06 12:28:56 -04:00
|
|
|
if (v->len) {
|
|
|
|
v->valid = 1;
|
2007-10-14 15:56:15 -03:00
|
|
|
v->no_cacheable = 0;
|
2006-05-06 12:28:56 -04:00
|
|
|
v->not_found = 0;
|
|
|
|
|
|
|
|
return NGX_OK;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
v->not_found = 1;
|
|
|
|
|
|
|
|
return NGX_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2006-02-08 12:33:12 -03:00
|
|
|
static ngx_int_t
|
|
|
|
ngx_http_ssl_add_variables(ngx_conf_t *cf)
|
|
|
|
{
|
|
|
|
ngx_http_variable_t *var, *v;
|
|
|
|
|
|
|
|
for (v = ngx_http_ssl_vars; v->name.len; v++) {
|
|
|
|
var = ngx_http_add_variable(cf, &v->name, v->flags);
|
|
|
|
if (var == NULL) {
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
|
2006-04-19 11:30:56 -04:00
|
|
|
var->get_handler = v->get_handler;
|
2006-02-08 12:33:12 -03:00
|
|
|
var->data = v->data;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NGX_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2005-03-19 08:38:37 -04:00
|
|
|
static void *
|
|
|
|
ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
|
2004-07-08 11:17:47 -04:00
|
|
|
{
|
2007-01-02 20:50:10 -03:00
|
|
|
ngx_http_ssl_srv_conf_t *sscf;
|
2004-07-08 11:17:47 -04:00
|
|
|
|
2007-01-02 20:50:10 -03:00
|
|
|
sscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
|
|
|
|
if (sscf == NULL) {
|
2009-06-02 12:09:44 -04:00
|
|
|
return NULL;
|
2004-07-08 11:17:47 -04:00
|
|
|
}
|
|
|
|
|
nginx-0.1.14-RELEASE import
*) Feature: the autoconfiguration directives:
--http-client-body-temp-path=PATH, --http-proxy-temp-path=PATH, and
--http-fastcgi-temp-path=PATH
*) Change: the directory name for the temporary files with the client
request body is specified by directive client_body_temp_path, by
default it is <prefix>/client_body_temp.
*) Feature: the ngx_http_fastcgi_module and the directives:
fastcgi_pass, fastcgi_root, fastcgi_index, fastcgi_params,
fastcgi_connect_timeout, fastcgi_send_timeout, fastcgi_read_timeout,
fastcgi_send_lowat, fastcgi_header_buffer_size, fastcgi_buffers,
fastcgi_busy_buffers_size, fastcgi_temp_path,
fastcgi_max_temp_file_size, fastcgi_temp_file_write_size,
fastcgi_next_upstream, and fastcgi_x_powered_by.
*) Bugfix: the "[alert] zero size buf" error; the bug had appeared in
0.1.3.
*) Change: the URI must be specified after the host name in the
proxy_pass directive.
*) Change: the %3F symbol in the URI was considered as the argument
string start.
*) Feature: the unix domain sockets support in the
ngx_http_proxy_module.
*) Feature: the ssl_engine and ssl_ciphers directives.
Thanks to Sergey Skvortsov for SSL-accelerator.
2005-01-18 10:03:58 -03:00
|
|
|
/*
|
|
|
|
* set by ngx_pcalloc():
|
|
|
|
*
|
2007-01-02 20:50:10 -03:00
|
|
|
* sscf->protocols = 0;
|
2019-02-25 10:42:05 -03:00
|
|
|
* sscf->certificate_values = NULL;
|
2008-06-16 01:51:32 -04:00
|
|
|
* sscf->dhparam = { 0, NULL };
|
2011-07-20 11:42:40 -04:00
|
|
|
* sscf->ecdh_curve = { 0, NULL };
|
2008-06-16 01:51:32 -04:00
|
|
|
* sscf->client_certificate = { 0, NULL };
|
2012-10-01 09:39:36 -03:00
|
|
|
* sscf->trusted_certificate = { 0, NULL };
|
2009-07-23 08:21:26 -04:00
|
|
|
* sscf->crl = { 0, NULL };
|
2010-05-14 05:56:37 -04:00
|
|
|
* sscf->ciphers = { 0, NULL };
|
2007-01-02 20:55:05 -03:00
|
|
|
* sscf->shm_zone = NULL;
|
2020-05-22 10:30:12 -04:00
|
|
|
* sscf->ocsp_responder = { 0, NULL };
|
2012-10-01 09:41:08 -03:00
|
|
|
* sscf->stapling_file = { 0, NULL };
|
2012-10-01 09:47:55 -03:00
|
|
|
* sscf->stapling_responder = { 0, NULL };
|
nginx-0.1.14-RELEASE import
*) Feature: the autoconfiguration directives:
--http-client-body-temp-path=PATH, --http-proxy-temp-path=PATH, and
--http-fastcgi-temp-path=PATH
*) Change: the directory name for the temporary files with the client
request body is specified by directive client_body_temp_path, by
default it is <prefix>/client_body_temp.
*) Feature: the ngx_http_fastcgi_module and the directives:
fastcgi_pass, fastcgi_root, fastcgi_index, fastcgi_params,
fastcgi_connect_timeout, fastcgi_send_timeout, fastcgi_read_timeout,
fastcgi_send_lowat, fastcgi_header_buffer_size, fastcgi_buffers,
fastcgi_busy_buffers_size, fastcgi_temp_path,
fastcgi_max_temp_file_size, fastcgi_temp_file_write_size,
fastcgi_next_upstream, and fastcgi_x_powered_by.
*) Bugfix: the "[alert] zero size buf" error; the bug had appeared in
0.1.3.
*) Change: the URI must be specified after the host name in the
proxy_pass directive.
*) Change: the %3F symbol in the URI was considered as the argument
string start.
*) Feature: the unix domain sockets support in the
ngx_http_proxy_module.
*) Feature: the ssl_engine and ssl_ciphers directives.
Thanks to Sergey Skvortsov for SSL-accelerator.
2005-01-18 10:03:58 -03:00
|
|
|
*/
|
|
|
|
|
2007-01-02 20:50:10 -03:00
|
|
|
sscf->enable = NGX_CONF_UNSET;
|
2008-07-29 10:29:02 -04:00
|
|
|
sscf->prefer_server_ciphers = NGX_CONF_UNSET;
|
2018-08-06 19:16:07 -04:00
|
|
|
sscf->early_data = NGX_CONF_UNSET;
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
sscf->reject_handshake = NGX_CONF_UNSET;
|
2013-12-20 09:18:25 -03:00
|
|
|
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
|
2009-04-15 15:28:10 -04:00
|
|
|
sscf->verify = NGX_CONF_UNSET_UINT;
|
|
|
|
sscf->verify_depth = NGX_CONF_UNSET_UINT;
|
2016-05-19 07:46:32 -04:00
|
|
|
sscf->certificates = NGX_CONF_UNSET_PTR;
|
|
|
|
sscf->certificate_keys = NGX_CONF_UNSET_PTR;
|
2014-06-16 11:43:25 -04:00
|
|
|
sscf->passwords = NGX_CONF_UNSET_PTR;
|
2020-10-22 12:00:22 -03:00
|
|
|
sscf->conf_commands = NGX_CONF_UNSET_PTR;
|
2007-01-02 20:55:05 -03:00
|
|
|
sscf->builtin_session_cache = NGX_CONF_UNSET;
|
|
|
|
sscf->session_timeout = NGX_CONF_UNSET;
|
2014-01-10 12:12:40 -03:00
|
|
|
sscf->session_tickets = NGX_CONF_UNSET;
|
2013-10-11 20:05:24 -03:00
|
|
|
sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
|
2020-05-22 10:30:12 -04:00
|
|
|
sscf->ocsp = NGX_CONF_UNSET_UINT;
|
2020-05-22 10:25:27 -04:00
|
|
|
sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
|
2012-10-01 09:41:08 -03:00
|
|
|
sscf->stapling = NGX_CONF_UNSET;
|
2012-10-01 09:53:11 -03:00
|
|
|
sscf->stapling_verify = NGX_CONF_UNSET;
|
2004-07-08 11:17:47 -04:00
|
|
|
|
2007-01-02 20:50:10 -03:00
|
|
|
return sscf;
|
2004-07-08 11:17:47 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2005-03-19 08:38:37 -04:00
|
|
|
static char *
|
|
|
|
ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
2004-07-08 11:17:47 -04:00
|
|
|
{
|
|
|
|
ngx_http_ssl_srv_conf_t *prev = parent;
|
|
|
|
ngx_http_ssl_srv_conf_t *conf = child;
|
|
|
|
|
2005-10-19 09:33:58 -03:00
|
|
|
ngx_pool_cleanup_t *cln;
|
|
|
|
|
2011-10-31 06:57:14 -03:00
|
|
|
if (conf->enable == NGX_CONF_UNSET) {
|
|
|
|
if (prev->enable == NGX_CONF_UNSET) {
|
|
|
|
conf->enable = 0;
|
|
|
|
|
|
|
|
} else {
|
|
|
|
conf->enable = prev->enable;
|
|
|
|
conf->file = prev->file;
|
|
|
|
conf->line = prev->line;
|
|
|
|
}
|
|
|
|
}
|
2004-07-08 11:17:47 -04:00
|
|
|
|
nginx-0.3.8-RELEASE import
*) Security: nginx now checks URI got from a backend in
"X-Accel-Redirect" header line or in SSI file for the "/../" paths
and zeroes.
*) Change: nginx now does not treat the empty user name in the
"Authorization" header line as valid one.
*) Feature: the "ssl_session_timeout" directives of the
ngx_http_ssl_module and ngx_imap_ssl_module.
*) Feature: the "auth_http_header" directive of the
ngx_imap_auth_http_module.
*) Feature: the "add_header" directive.
*) Feature: the ngx_http_realip_module.
*) Feature: the new variables to use in the "log_format" directive:
$bytes_sent, $apache_bytes_sent, $status, $time_gmt, $uri,
$request_time, $request_length, $upstream_status,
$upstream_response_time, $gzip_ratio, $uid_got, $uid_set,
$connection, $pipe, and $msec. The parameters in the "%name" form
will be canceled soon.
*) Change: now the false variable values in the "if" directive are the
empty string "" and string starting with "0".
*) Bugfix: while using proxied or FastCGI-server nginx may leave
connections and temporary files with client requests in open state.
*) Bugfix: the worker processes did not flush the buffered logs on
graceful exit.
*) Bugfix: if the request URI was changes by the "rewrite" directive
and the request was proxied in location given by regular expression,
then the incorrect request was transferred to backend; the bug had
appeared in 0.2.6.
*) Bugfix: the "expires" directive did not remove the previous
"Expires" header.
*) Bugfix: nginx may stop to accept requests if the "rtsig" method and
several worker processes were used.
*) Bugfix: the "\"" and "\'" escape symbols were incorrectly handled in
SSI commands.
*) Bugfix: if the response was ended just after the SSI command and
gzipping was used, then the response did not transferred complete or
did not transferred at all.
2005-11-09 14:25:55 -03:00
|
|
|
ngx_conf_merge_value(conf->session_timeout,
|
|
|
|
prev->session_timeout, 300);
|
|
|
|
|
2005-09-30 10:41:25 -04:00
|
|
|
ngx_conf_merge_value(conf->prefer_server_ciphers,
|
|
|
|
prev->prefer_server_ciphers, 0);
|
|
|
|
|
2018-08-06 19:16:07 -04:00
|
|
|
ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
|
2018-08-06 19:16:07 -04:00
|
|
|
|
2005-09-30 10:41:25 -04:00
|
|
|
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
2015-05-25 11:58:20 -03:00
|
|
|
(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|
2012-01-11 08:15:00 -03:00
|
|
|
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
|
2005-09-30 10:41:25 -04:00
|
|
|
|
2013-12-20 09:18:25 -03:00
|
|
|
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
|
|
|
|
NGX_SSL_BUFSIZE);
|
|
|
|
|
2008-07-29 10:29:02 -04:00
|
|
|
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
|
|
|
|
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
|
2006-05-06 12:28:56 -04:00
|
|
|
|
2016-05-19 07:46:32 -04:00
|
|
|
ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
|
|
|
|
ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
|
|
|
|
NULL);
|
nginx-0.1.14-RELEASE import
*) Feature: the autoconfiguration directives:
--http-client-body-temp-path=PATH, --http-proxy-temp-path=PATH, and
--http-fastcgi-temp-path=PATH
*) Change: the directory name for the temporary files with the client
request body is specified by directive client_body_temp_path, by
default it is <prefix>/client_body_temp.
*) Feature: the ngx_http_fastcgi_module and the directives:
fastcgi_pass, fastcgi_root, fastcgi_index, fastcgi_params,
fastcgi_connect_timeout, fastcgi_send_timeout, fastcgi_read_timeout,
fastcgi_send_lowat, fastcgi_header_buffer_size, fastcgi_buffers,
fastcgi_busy_buffers_size, fastcgi_temp_path,
fastcgi_max_temp_file_size, fastcgi_temp_file_write_size,
fastcgi_next_upstream, and fastcgi_x_powered_by.
*) Bugfix: the "[alert] zero size buf" error; the bug had appeared in
0.1.3.
*) Change: the URI must be specified after the host name in the
proxy_pass directive.
*) Change: the %3F symbol in the URI was considered as the argument
string start.
*) Feature: the unix domain sockets support in the
ngx_http_proxy_module.
*) Feature: the ssl_engine and ssl_ciphers directives.
Thanks to Sergey Skvortsov for SSL-accelerator.
2005-01-18 10:03:58 -03:00
|
|
|
|
2014-06-16 11:43:25 -04:00
|
|
|
ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
|
|
|
|
|
2008-06-16 01:51:32 -04:00
|
|
|
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
|
|
|
|
|
2006-05-06 12:28:56 -04:00
|
|
|
ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
|
|
|
|
"");
|
2012-10-01 09:39:36 -03:00
|
|
|
ngx_conf_merge_str_value(conf->trusted_certificate,
|
|
|
|
prev->trusted_certificate, "");
|
2009-07-23 08:21:26 -04:00
|
|
|
ngx_conf_merge_str_value(conf->crl, prev->crl, "");
|
2006-05-06 12:28:56 -04:00
|
|
|
|
2011-07-20 11:42:40 -04:00
|
|
|
ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
|
|
|
|
NGX_DEFAULT_ECDH_CURVE);
|
|
|
|
|
2008-07-29 10:31:03 -04:00
|
|
|
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
|
nginx-0.1.14-RELEASE import
*) Feature: the autoconfiguration directives:
--http-client-body-temp-path=PATH, --http-proxy-temp-path=PATH, and
--http-fastcgi-temp-path=PATH
*) Change: the directory name for the temporary files with the client
request body is specified by directive client_body_temp_path, by
default it is <prefix>/client_body_temp.
*) Feature: the ngx_http_fastcgi_module and the directives:
fastcgi_pass, fastcgi_root, fastcgi_index, fastcgi_params,
fastcgi_connect_timeout, fastcgi_send_timeout, fastcgi_read_timeout,
fastcgi_send_lowat, fastcgi_header_buffer_size, fastcgi_buffers,
fastcgi_busy_buffers_size, fastcgi_temp_path,
fastcgi_max_temp_file_size, fastcgi_temp_file_write_size,
fastcgi_next_upstream, and fastcgi_x_powered_by.
*) Bugfix: the "[alert] zero size buf" error; the bug had appeared in
0.1.3.
*) Change: the URI must be specified after the host name in the
proxy_pass directive.
*) Change: the %3F symbol in the URI was considered as the argument
string start.
*) Feature: the unix domain sockets support in the
ngx_http_proxy_module.
*) Feature: the ssl_engine and ssl_ciphers directives.
Thanks to Sergey Skvortsov for SSL-accelerator.
2005-01-18 10:03:58 -03:00
|
|
|
|
2020-10-22 12:00:22 -03:00
|
|
|
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
|
|
|
|
|
2020-05-22 10:30:12 -04:00
|
|
|
ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
|
|
|
|
ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
|
2020-05-22 10:25:27 -04:00
|
|
|
ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
|
|
|
|
prev->ocsp_cache_zone, NULL);
|
2020-05-22 10:30:12 -04:00
|
|
|
|
2012-10-01 09:41:08 -03:00
|
|
|
ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
|
2012-10-01 09:53:11 -03:00
|
|
|
ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
|
2012-10-01 09:41:08 -03:00
|
|
|
ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
|
2012-10-01 09:47:55 -03:00
|
|
|
ngx_conf_merge_str_value(conf->stapling_responder,
|
|
|
|
prev->stapling_responder, "");
|
2004-07-11 17:03:47 -04:00
|
|
|
|
2005-09-30 10:41:25 -04:00
|
|
|
conf->ssl.log = cf->log;
|
2004-07-11 17:03:47 -04:00
|
|
|
|
2008-09-01 10:19:01 -04:00
|
|
|
if (conf->enable) {
|
|
|
|
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
if (conf->certificates) {
|
|
|
|
if (conf->certificate_keys == NULL) {
|
|
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
|
|
"no \"ssl_certificate_key\" is defined for "
|
|
|
|
"the \"ssl\" directive in %s:%ui",
|
|
|
|
conf->file, conf->line);
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
2008-09-01 10:19:01 -04:00
|
|
|
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
if (conf->certificate_keys->nelts < conf->certificates->nelts) {
|
|
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
|
|
"no \"ssl_certificate_key\" is defined "
|
|
|
|
"for certificate \"%V\" and "
|
|
|
|
"the \"ssl\" directive in %s:%ui",
|
|
|
|
((ngx_str_t *) conf->certificates->elts)
|
|
|
|
+ conf->certificates->nelts - 1,
|
|
|
|
conf->file, conf->line);
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
2008-09-01 10:19:01 -04:00
|
|
|
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
} else if (!conf->reject_handshake) {
|
2016-05-19 07:46:32 -04:00
|
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
"no \"ssl_certificate\" is defined for "
|
2016-05-19 07:46:32 -04:00
|
|
|
"the \"ssl\" directive in %s:%ui",
|
|
|
|
conf->file, conf->line);
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
} else if (conf->certificates) {
|
2008-09-01 10:19:01 -04:00
|
|
|
|
2016-05-19 07:46:32 -04:00
|
|
|
if (conf->certificate_keys == NULL
|
|
|
|
|| conf->certificate_keys->nelts < conf->certificates->nelts)
|
|
|
|
{
|
2008-09-01 10:19:01 -04:00
|
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
|
|
"no \"ssl_certificate_key\" is defined "
|
2016-05-19 07:46:32 -04:00
|
|
|
"for certificate \"%V\"",
|
|
|
|
((ngx_str_t *) conf->certificates->elts)
|
|
|
|
+ conf->certificates->nelts - 1);
|
2008-09-01 10:19:01 -04:00
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
|
|
|
|
} else if (!conf->reject_handshake) {
|
|
|
|
return NGX_CONF_OK;
|
2008-09-01 10:19:01 -04:00
|
|
|
}
|
|
|
|
|
2007-01-02 20:37:25 -03:00
|
|
|
if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
|
2004-07-11 17:03:47 -04:00
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2019-03-03 10:48:39 -03:00
|
|
|
cln = ngx_pool_cleanup_add(cf->pool, 0);
|
|
|
|
if (cln == NULL) {
|
|
|
|
ngx_ssl_cleanup_ctx(&conf->ssl);
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
cln->handler = ngx_ssl_cleanup_ctx;
|
|
|
|
cln->data = &conf->ssl;
|
|
|
|
|
2007-05-29 11:21:09 -04:00
|
|
|
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
|
|
|
|
|
|
|
if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
|
|
|
|
ngx_http_ssl_servername)
|
|
|
|
== 0)
|
|
|
|
{
|
2009-09-18 05:10:16 -04:00
|
|
|
ngx_log_error(NGX_LOG_WARN, cf->log, 0,
|
2009-10-19 09:33:09 -03:00
|
|
|
"nginx was built with SNI support, however, now it is linked "
|
2009-09-18 05:10:16 -04:00
|
|
|
"dynamically to an OpenSSL library which has no tlsext support, "
|
|
|
|
"therefore SNI is not available");
|
2007-05-29 11:21:09 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
2014-01-28 20:33:49 -03:00
|
|
|
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
|
|
|
SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
|
|
|
|
#endif
|
|
|
|
|
2021-08-16 15:40:31 -04:00
|
|
|
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
|
|
|
|
conf->prefer_server_ciphers)
|
|
|
|
!= NGX_OK)
|
|
|
|
{
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2019-02-25 10:42:05 -03:00
|
|
|
if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
|
2004-07-11 17:03:47 -04:00
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2019-02-25 10:42:05 -03:00
|
|
|
if (conf->certificate_values) {
|
|
|
|
|
|
|
|
#ifdef SSL_R_CERT_CB_ERROR
|
|
|
|
|
|
|
|
/* install callback to lookup certificates */
|
|
|
|
|
2019-02-25 15:16:26 -03:00
|
|
|
SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, conf);
|
2019-02-25 10:42:05 -03:00
|
|
|
|
|
|
|
#else
|
|
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
|
|
"variables in "
|
|
|
|
"\"ssl_certificate\" and \"ssl_certificate_key\" "
|
|
|
|
"directives are not supported on this platform");
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
#endif
|
|
|
|
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
} else if (conf->certificates) {
|
2019-02-25 10:42:05 -03:00
|
|
|
|
|
|
|
/* configure certificates */
|
|
|
|
|
|
|
|
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
|
|
|
|
conf->certificate_keys, conf->passwords)
|
|
|
|
!= NGX_OK)
|
|
|
|
{
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-12-20 09:18:25 -03:00
|
|
|
conf->ssl.buffer_size = conf->buffer_size;
|
|
|
|
|
2006-05-06 12:28:56 -04:00
|
|
|
if (conf->verify) {
|
2008-07-29 10:29:02 -04:00
|
|
|
|
2012-10-03 12:24:08 -03:00
|
|
|
if (conf->client_certificate.len == 0 && conf->verify != 3) {
|
2008-07-29 10:29:02 -04:00
|
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
2019-09-16 13:26:42 -03:00
|
|
|
"no ssl_client_certificate for ssl_verify_client");
|
2008-07-29 10:29:02 -04:00
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2006-08-09 15:59:45 -04:00
|
|
|
if (ngx_ssl_client_certificate(cf, &conf->ssl,
|
2007-01-02 20:41:54 -03:00
|
|
|
&conf->client_certificate,
|
|
|
|
conf->verify_depth)
|
2006-08-09 15:59:45 -04:00
|
|
|
!= NGX_OK)
|
|
|
|
{
|
|
|
|
return NGX_CONF_ERROR;
|
2006-05-06 12:28:56 -04:00
|
|
|
}
|
2012-10-01 09:39:36 -03:00
|
|
|
}
|
2009-07-23 08:21:26 -04:00
|
|
|
|
2012-10-01 09:39:36 -03:00
|
|
|
if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
|
|
|
|
&conf->trusted_certificate,
|
|
|
|
conf->verify_depth)
|
|
|
|
!= NGX_OK)
|
|
|
|
{
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
|
|
|
|
return NGX_CONF_ERROR;
|
2006-05-06 12:28:56 -04:00
|
|
|
}
|
|
|
|
|
2020-05-22 10:30:12 -04:00
|
|
|
if (conf->ocsp) {
|
|
|
|
|
|
|
|
if (conf->verify == 3) {
|
|
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
|
|
"\"ssl_ocsp\" is incompatible with "
|
|
|
|
"\"ssl_verify_client optional_no_ca\"");
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2020-05-22 10:25:27 -04:00
|
|
|
if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp,
|
|
|
|
conf->ocsp_cache_zone)
|
2020-05-22 10:30:12 -04:00
|
|
|
!= NGX_OK)
|
|
|
|
{
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2008-06-16 01:51:32 -04:00
|
|
|
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2011-07-20 11:42:40 -04:00
|
|
|
if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2007-01-02 20:55:05 -03:00
|
|
|
ngx_conf_merge_value(conf->builtin_session_cache,
|
2008-05-26 03:14:13 -04:00
|
|
|
prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
|
2007-01-02 20:55:05 -03:00
|
|
|
|
|
|
|
if (conf->shm_zone == NULL) {
|
|
|
|
conf->shm_zone = prev->shm_zone;
|
|
|
|
}
|
|
|
|
|
2007-01-03 12:25:40 -03:00
|
|
|
if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
|
2019-02-25 10:42:54 -03:00
|
|
|
conf->certificates, conf->builtin_session_cache,
|
2007-01-03 12:25:40 -03:00
|
|
|
conf->shm_zone, conf->session_timeout)
|
|
|
|
!= NGX_OK)
|
2007-01-02 20:55:05 -03:00
|
|
|
{
|
2007-01-03 12:25:40 -03:00
|
|
|
return NGX_CONF_ERROR;
|
2007-01-02 20:55:05 -03:00
|
|
|
}
|
|
|
|
|
2014-01-10 12:12:40 -03:00
|
|
|
ngx_conf_merge_value(conf->session_tickets, prev->session_tickets, 1);
|
|
|
|
|
|
|
|
#ifdef SSL_OP_NO_TICKET
|
|
|
|
if (!conf->session_tickets) {
|
|
|
|
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2013-10-11 20:05:24 -03:00
|
|
|
ngx_conf_merge_ptr_value(conf->session_ticket_keys,
|
|
|
|
prev->session_ticket_keys, NULL);
|
|
|
|
|
|
|
|
if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
|
|
|
|
!= NGX_OK)
|
|
|
|
{
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2012-10-01 09:47:55 -03:00
|
|
|
if (conf->stapling) {
|
|
|
|
|
2012-10-01 09:53:11 -03:00
|
|
|
if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
|
|
|
|
&conf->stapling_responder, conf->stapling_verify)
|
2012-10-01 09:47:55 -03:00
|
|
|
!= NGX_OK)
|
|
|
|
{
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2012-10-01 09:41:08 -03:00
|
|
|
}
|
|
|
|
|
2018-08-06 19:16:07 -04:00
|
|
|
if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2020-10-22 12:00:22 -03:00
|
|
|
if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2007-01-02 20:55:05 -03:00
|
|
|
return NGX_CONF_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2019-02-25 10:42:05 -03:00
|
|
|
static ngx_int_t
|
|
|
|
ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
|
|
|
|
ngx_http_ssl_srv_conf_t *conf)
|
|
|
|
{
|
|
|
|
ngx_str_t *cert, *key;
|
|
|
|
ngx_uint_t i, nelts;
|
|
|
|
ngx_http_complex_value_t *cv;
|
|
|
|
ngx_http_compile_complex_value_t ccv;
|
|
|
|
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
if (conf->certificates == NULL) {
|
|
|
|
return NGX_OK;
|
|
|
|
}
|
|
|
|
|
2019-02-25 10:42:05 -03:00
|
|
|
cert = conf->certificates->elts;
|
|
|
|
key = conf->certificate_keys->elts;
|
|
|
|
nelts = conf->certificates->nelts;
|
|
|
|
|
|
|
|
for (i = 0; i < nelts; i++) {
|
|
|
|
|
|
|
|
if (ngx_http_script_variables_count(&cert[i])) {
|
|
|
|
goto found;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ngx_http_script_variables_count(&key[i])) {
|
|
|
|
goto found;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return NGX_OK;
|
|
|
|
|
|
|
|
found:
|
|
|
|
|
|
|
|
conf->certificate_values = ngx_array_create(cf->pool, nelts,
|
|
|
|
sizeof(ngx_http_complex_value_t));
|
|
|
|
if (conf->certificate_values == NULL) {
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
conf->certificate_key_values = ngx_array_create(cf->pool, nelts,
|
|
|
|
sizeof(ngx_http_complex_value_t));
|
|
|
|
if (conf->certificate_key_values == NULL) {
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < nelts; i++) {
|
|
|
|
|
|
|
|
cv = ngx_array_push(conf->certificate_values);
|
|
|
|
if (cv == NULL) {
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
|
|
|
|
|
|
|
|
ccv.cf = cf;
|
|
|
|
ccv.value = &cert[i];
|
|
|
|
ccv.complex_value = cv;
|
|
|
|
ccv.zero = 1;
|
|
|
|
|
|
|
|
if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
cv = ngx_array_push(conf->certificate_key_values);
|
|
|
|
if (cv == NULL) {
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
|
|
|
|
|
|
|
|
ccv.cf = cf;
|
|
|
|
ccv.value = &key[i];
|
|
|
|
ccv.complex_value = cv;
|
|
|
|
ccv.zero = 1;
|
|
|
|
|
|
|
|
if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-02-25 10:42:23 -03:00
|
|
|
conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
|
|
|
|
if (conf->passwords == NULL) {
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
|
2019-02-25 10:42:05 -03:00
|
|
|
return NGX_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-09-01 10:19:01 -04:00
|
|
|
static char *
|
|
|
|
ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
|
|
|
{
|
|
|
|
ngx_http_ssl_srv_conf_t *sscf = conf;
|
|
|
|
|
|
|
|
char *rv;
|
|
|
|
|
|
|
|
rv = ngx_conf_set_flag_slot(cf, cmd, conf);
|
|
|
|
|
|
|
|
if (rv != NGX_CONF_OK) {
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
|
|
|
sscf->file = cf->conf_file->file.name.data;
|
|
|
|
sscf->line = cf->conf_file->line;
|
|
|
|
|
|
|
|
return NGX_CONF_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2014-06-16 11:43:25 -04:00
|
|
|
static char *
|
|
|
|
ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
|
|
|
{
|
|
|
|
ngx_http_ssl_srv_conf_t *sscf = conf;
|
|
|
|
|
|
|
|
ngx_str_t *value;
|
|
|
|
|
|
|
|
if (sscf->passwords != NGX_CONF_UNSET_PTR) {
|
|
|
|
return "is duplicate";
|
|
|
|
}
|
|
|
|
|
|
|
|
value = cf->args->elts;
|
|
|
|
|
|
|
|
sscf->passwords = ngx_ssl_read_password_file(cf, &value[1]);
|
|
|
|
|
|
|
|
if (sscf->passwords == NULL) {
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NGX_CONF_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2007-01-02 20:55:05 -03:00
|
|
|
static char *
|
|
|
|
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
|
|
|
{
|
|
|
|
ngx_http_ssl_srv_conf_t *sscf = conf;
|
|
|
|
|
|
|
|
size_t len;
|
|
|
|
ngx_str_t *value, name, size;
|
|
|
|
ngx_int_t n;
|
|
|
|
ngx_uint_t i, j;
|
|
|
|
|
|
|
|
value = cf->args->elts;
|
|
|
|
|
|
|
|
for (i = 1; i < cf->args->nelts; i++) {
|
|
|
|
|
2007-12-26 17:27:22 -03:00
|
|
|
if (ngx_strcmp(value[i].data, "off") == 0) {
|
|
|
|
sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2008-05-26 03:14:13 -04:00
|
|
|
if (ngx_strcmp(value[i].data, "none") == 0) {
|
|
|
|
sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2007-01-02 20:55:05 -03:00
|
|
|
if (ngx_strcmp(value[i].data, "builtin") == 0) {
|
2007-01-03 12:25:40 -03:00
|
|
|
sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
|
2007-01-02 20:55:05 -03:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (value[i].len > sizeof("builtin:") - 1
|
|
|
|
&& ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
|
|
|
|
== 0)
|
|
|
|
{
|
|
|
|
n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
|
|
|
|
value[i].len - (sizeof("builtin:") - 1));
|
|
|
|
|
|
|
|
if (n == NGX_ERROR) {
|
|
|
|
goto invalid;
|
|
|
|
}
|
|
|
|
|
|
|
|
sscf->builtin_session_cache = n;
|
|
|
|
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (value[i].len > sizeof("shared:") - 1
|
|
|
|
&& ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
|
|
|
|
== 0)
|
|
|
|
{
|
|
|
|
len = 0;
|
|
|
|
|
|
|
|
for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
|
|
|
|
if (value[i].data[j] == ':') {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
len++;
|
|
|
|
}
|
|
|
|
|
2022-10-17 09:24:53 -03:00
|
|
|
if (len == 0 || j == value[i].len) {
|
2007-01-02 20:55:05 -03:00
|
|
|
goto invalid;
|
|
|
|
}
|
|
|
|
|
|
|
|
name.len = len;
|
|
|
|
name.data = value[i].data + sizeof("shared:") - 1;
|
|
|
|
|
|
|
|
size.len = value[i].len - j - 1;
|
|
|
|
size.data = name.data + len + 1;
|
|
|
|
|
|
|
|
n = ngx_parse_size(&size);
|
|
|
|
|
|
|
|
if (n == NGX_ERROR) {
|
|
|
|
goto invalid;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (n < (ngx_int_t) (8 * ngx_pagesize)) {
|
|
|
|
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
2007-01-03 12:25:40 -03:00
|
|
|
"session cache \"%V\" is too small",
|
2007-01-02 20:55:05 -03:00
|
|
|
&value[i]);
|
|
|
|
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
|
|
|
|
&ngx_http_ssl_module);
|
|
|
|
if (sscf->shm_zone == NULL) {
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
2011-09-27 09:06:07 -03:00
|
|
|
sscf->shm_zone->init = ngx_ssl_session_cache_init;
|
|
|
|
|
2007-01-02 20:55:05 -03:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
goto invalid;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
|
2007-01-03 12:25:40 -03:00
|
|
|
sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
|
2007-01-02 20:55:05 -03:00
|
|
|
}
|
nginx-0.3.8-RELEASE import
*) Security: nginx now checks URI got from a backend in
"X-Accel-Redirect" header line or in SSI file for the "/../" paths
and zeroes.
*) Change: nginx now does not treat the empty user name in the
"Authorization" header line as valid one.
*) Feature: the "ssl_session_timeout" directives of the
ngx_http_ssl_module and ngx_imap_ssl_module.
*) Feature: the "auth_http_header" directive of the
ngx_imap_auth_http_module.
*) Feature: the "add_header" directive.
*) Feature: the ngx_http_realip_module.
*) Feature: the new variables to use in the "log_format" directive:
$bytes_sent, $apache_bytes_sent, $status, $time_gmt, $uri,
$request_time, $request_length, $upstream_status,
$upstream_response_time, $gzip_ratio, $uid_got, $uid_set,
$connection, $pipe, and $msec. The parameters in the "%name" form
will be canceled soon.
*) Change: now the false variable values in the "if" directive are the
empty string "" and string starting with "0".
*) Bugfix: while using proxied or FastCGI-server nginx may leave
connections and temporary files with client requests in open state.
*) Bugfix: the worker processes did not flush the buffered logs on
graceful exit.
*) Bugfix: if the request URI was changes by the "rewrite" directive
and the request was proxied in location given by regular expression,
then the incorrect request was transferred to backend; the bug had
appeared in 0.2.6.
*) Bugfix: the "expires" directive did not remove the previous
"Expires" header.
*) Bugfix: nginx may stop to accept requests if the "rtsig" method and
several worker processes were used.
*) Bugfix: the "\"" and "\'" escape symbols were incorrectly handled in
SSI commands.
*) Bugfix: if the response was ended just after the SSI command and
gzipping was used, then the response did not transferred complete or
did not transferred at all.
2005-11-09 14:25:55 -03:00
|
|
|
|
2004-07-08 11:17:47 -04:00
|
|
|
return NGX_CONF_OK;
|
2007-01-02 20:55:05 -03:00
|
|
|
|
|
|
|
invalid:
|
|
|
|
|
|
|
|
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
|
|
|
"invalid session cache \"%V\"", &value[i]);
|
|
|
|
|
|
|
|
return NGX_CONF_ERROR;
|
2004-07-08 11:17:47 -04:00
|
|
|
}
|
2012-10-01 09:47:55 -03:00
|
|
|
|
|
|
|
|
2020-05-22 10:25:27 -04:00
|
|
|
static char *
|
|
|
|
ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
|
|
|
{
|
|
|
|
ngx_http_ssl_srv_conf_t *sscf = conf;
|
|
|
|
|
|
|
|
size_t len;
|
|
|
|
ngx_int_t n;
|
|
|
|
ngx_str_t *value, name, size;
|
|
|
|
ngx_uint_t j;
|
|
|
|
|
|
|
|
if (sscf->ocsp_cache_zone != NGX_CONF_UNSET_PTR) {
|
|
|
|
return "is duplicate";
|
|
|
|
}
|
|
|
|
|
|
|
|
value = cf->args->elts;
|
|
|
|
|
|
|
|
if (ngx_strcmp(value[1].data, "off") == 0) {
|
|
|
|
sscf->ocsp_cache_zone = NULL;
|
|
|
|
return NGX_CONF_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (value[1].len <= sizeof("shared:") - 1
|
|
|
|
|| ngx_strncmp(value[1].data, "shared:", sizeof("shared:") - 1) != 0)
|
|
|
|
{
|
|
|
|
goto invalid;
|
|
|
|
}
|
|
|
|
|
|
|
|
len = 0;
|
|
|
|
|
|
|
|
for (j = sizeof("shared:") - 1; j < value[1].len; j++) {
|
|
|
|
if (value[1].data[j] == ':') {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
len++;
|
|
|
|
}
|
|
|
|
|
2022-10-17 09:24:53 -03:00
|
|
|
if (len == 0 || j == value[1].len) {
|
2020-05-22 10:25:27 -04:00
|
|
|
goto invalid;
|
|
|
|
}
|
|
|
|
|
|
|
|
name.len = len;
|
|
|
|
name.data = value[1].data + sizeof("shared:") - 1;
|
|
|
|
|
|
|
|
size.len = value[1].len - j - 1;
|
|
|
|
size.data = name.data + len + 1;
|
|
|
|
|
|
|
|
n = ngx_parse_size(&size);
|
|
|
|
|
|
|
|
if (n == NGX_ERROR) {
|
|
|
|
goto invalid;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (n < (ngx_int_t) (8 * ngx_pagesize)) {
|
|
|
|
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
|
|
|
"OCSP cache \"%V\" is too small", &value[1]);
|
|
|
|
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
sscf->ocsp_cache_zone = ngx_shared_memory_add(cf, &name, n,
|
|
|
|
&ngx_http_ssl_module_ctx);
|
|
|
|
if (sscf->ocsp_cache_zone == NULL) {
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
sscf->ocsp_cache_zone->init = ngx_ssl_ocsp_cache_init;
|
|
|
|
|
|
|
|
return NGX_CONF_OK;
|
|
|
|
|
|
|
|
invalid:
|
|
|
|
|
|
|
|
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
|
|
|
"invalid OCSP cache \"%V\"", &value[1]);
|
|
|
|
|
|
|
|
return NGX_CONF_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-10-22 12:00:22 -03:00
|
|
|
static char *
|
|
|
|
ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
|
|
|
|
{
|
|
|
|
#ifndef SSL_CONF_FLAG_FILE
|
|
|
|
return "is not supported on this platform";
|
2021-03-05 11:16:13 -03:00
|
|
|
#else
|
2020-10-22 12:00:22 -03:00
|
|
|
return NGX_CONF_OK;
|
2021-03-05 11:16:13 -03:00
|
|
|
#endif
|
2020-10-22 12:00:22 -03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2012-10-01 09:47:55 -03:00
|
|
|
static ngx_int_t
|
|
|
|
ngx_http_ssl_init(ngx_conf_t *cf)
|
|
|
|
{
|
2018-04-24 09:29:01 -03:00
|
|
|
ngx_uint_t a, p, s;
|
2020-07-21 16:09:22 -04:00
|
|
|
const char *name;
|
2018-04-24 09:29:01 -03:00
|
|
|
ngx_http_conf_addr_t *addr;
|
|
|
|
ngx_http_conf_port_t *port;
|
2012-10-01 09:47:55 -03:00
|
|
|
ngx_http_ssl_srv_conf_t *sscf;
|
|
|
|
ngx_http_core_loc_conf_t *clcf;
|
2018-04-24 09:29:01 -03:00
|
|
|
ngx_http_core_srv_conf_t **cscfp, *cscf;
|
2012-10-01 09:47:55 -03:00
|
|
|
ngx_http_core_main_conf_t *cmcf;
|
|
|
|
|
|
|
|
cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
|
|
|
|
cscfp = cmcf->servers.elts;
|
|
|
|
|
|
|
|
for (s = 0; s < cmcf->servers.nelts; s++) {
|
|
|
|
|
|
|
|
sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
|
|
|
|
|
2020-05-22 10:30:12 -04:00
|
|
|
if (sscf->ssl.ctx == NULL) {
|
2012-10-01 09:47:55 -03:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];
|
|
|
|
|
2020-05-22 10:30:12 -04:00
|
|
|
if (sscf->stapling) {
|
|
|
|
if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
|
|
|
|
clcf->resolver_timeout)
|
|
|
|
!= NGX_OK)
|
|
|
|
{
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (sscf->ocsp) {
|
|
|
|
if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, clcf->resolver,
|
2012-10-01 09:47:55 -03:00
|
|
|
clcf->resolver_timeout)
|
2020-05-22 10:30:12 -04:00
|
|
|
!= NGX_OK)
|
|
|
|
{
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
2012-10-01 09:47:55 -03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-04-24 09:29:01 -03:00
|
|
|
if (cmcf->ports == NULL) {
|
|
|
|
return NGX_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
port = cmcf->ports->elts;
|
|
|
|
for (p = 0; p < cmcf->ports->nelts; p++) {
|
|
|
|
|
|
|
|
addr = port[p].addrs.elts;
|
|
|
|
for (a = 0; a < port[p].addrs.nelts; a++) {
|
|
|
|
|
2023-02-27 07:00:56 -03:00
|
|
|
if (!addr[a].opt.ssl && !addr[a].opt.quic) {
|
2018-04-24 09:29:01 -03:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2023-02-22 12:16:53 -03:00
|
|
|
cscf = addr[a].default_server;
|
|
|
|
sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
|
|
|
|
|
2023-02-27 07:00:56 -03:00
|
|
|
if (addr[a].opt.quic) {
|
|
|
|
name = "quic";
|
2020-07-21 16:09:22 -04:00
|
|
|
|
2023-02-22 12:16:53 -03:00
|
|
|
#if (NGX_QUIC_OPENSSL_COMPAT)
|
|
|
|
if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) {
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2020-07-21 16:09:22 -04:00
|
|
|
} else {
|
|
|
|
name = "ssl";
|
|
|
|
}
|
|
|
|
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
if (sscf->certificates) {
|
2021-09-29 09:01:53 -03:00
|
|
|
|
2023-02-27 07:00:56 -03:00
|
|
|
if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) {
|
2021-09-29 09:01:53 -03:00
|
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
|
|
"\"ssl_protocols\" must enable TLSv1.3 for "
|
|
|
|
"the \"listen ... %s\" directive in %s:%ui",
|
|
|
|
name, cscf->file_name, cscf->line);
|
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!sscf->reject_handshake) {
|
|
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
|
|
"no \"ssl_certificate\" is defined for "
|
2021-09-29 09:01:53 -03:00
|
|
|
"the \"listen ... %s\" directive in %s:%ui",
|
|
|
|
name, cscf->file_name, cscf->line);
|
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
2020-10-22 12:02:28 -03:00
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* if no certificates are defined in the default server,
|
|
|
|
* check all non-default server blocks
|
|
|
|
*/
|
|
|
|
|
|
|
|
cscfp = addr[a].servers.elts;
|
|
|
|
for (s = 0; s < addr[a].servers.nelts; s++) {
|
|
|
|
|
|
|
|
cscf = cscfp[s];
|
|
|
|
sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
|
|
|
|
|
|
|
|
if (sscf->certificates || sscf->reject_handshake) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2018-04-24 09:29:01 -03:00
|
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
|
|
"no \"ssl_certificate\" is defined for "
|
2020-07-21 16:09:22 -04:00
|
|
|
"the \"listen ... %s\" directive in %s:%ui",
|
|
|
|
name, cscf->file_name, cscf->line);
|
2018-04-24 09:29:01 -03:00
|
|
|
return NGX_ERROR;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-10-01 09:47:55 -03:00
|
|
|
return NGX_OK;
|
|
|
|
}
|